Index monitored file initially

gallantalex
Path Finder

Hi, it seems like this should be something simple, but I was unable to find this anywhere in the documentation or past questions.

I want Splunk to index the initial file that I am going to monitor even if the file was not modified. It seems like when I monitor some file, it only gets indexed if a change occurs, which is fine. But if I just started monitoring some file, I need to see some indexed data that I will be able to query.

Here is my current configuration in the input.conf file. Also, this is on a forwarder if that makes any difference.

[monitor://C:\Testing\]
whitelist = config
alwaysOpenFile = 1
disabled = 0
interval = 60
followTail = 0
index = configindex
_TCP_ROUTING = rcvr_9903

Thanks.

0 Karma
1 Solution

Simeon
Splunk Employee

Splunk has internal tracking of files so that it does not reindex files. You can force Splunk to reindex data by using CRC Salt. If you add the following setting to your stanza, the file will be reindexed:

crcSalt = <SOURCE>

Here is an excerpt from the documentation regarding this setting:

crcSalt = <string>

If set, this string is added to the CRC.
Use this setting to force Splunk to consume files that have matching CRCs.
If set to crcSalt = <SOURCE> (note: This setting is case sensitive), then the full source path is added to the CRC.

We typically do NOT recommend adding this as you will confuse Splunk regarding what files need to be indexed in addition to how much of that file has been indexed.

0 Karma
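
An added example, not part of the original thread and not Splunk's code: a toy Python model of the file tracking described in the answer above, showing why a file whose leading bytes match an already-seen file is skipped, and why crcSalt = <SOURCE> fixes that but also re-indexes a renamed file. FileTracker, HEAD_LEN, run_scenario, the use of zlib.crc32 and the file names under C:\Testing\ are assumptions made for illustration.

```python
import zlib

HEAD_LEN = 256  # assumption of this model: only the first bytes of a file are checksummed


class FileTracker:
    """Toy model of a monitor input's file tracking (not Splunk's implementation)."""

    def __init__(self, crc_salt=None):
        self.crc_salt = crc_salt  # None, a literal string, or "<SOURCE>"
        self.seen = {}            # checksum -> number of bytes already indexed

    def _key(self, path, data):
        # "<SOURCE>" means the full source path is added to the checksum input.
        salt = path if self.crc_salt == "<SOURCE>" else (self.crc_salt or "")
        return zlib.crc32(salt.encode() + data[:HEAD_LEN])

    def poll(self, path, data):
        """Return the bytes that would be sent to the index for this file."""
        key = self._key(path, data)
        offset = self.seen.get(key, 0)   # resume where the "same" file left off
        self.seen[key] = len(data)
        return data[offset:]


def run_scenario(crc_salt):
    """Constructed sample: two config files sharing a long header, then a rename."""
    header = b"# generated config, do not edit\n" * 10   # longer than HEAD_LEN
    a = header + b"role=web\n"
    b = header + b"role=sql\n"
    t = FileTracker(crc_salt)
    return {
        "a_first": t.poll(r"C:\Testing\a.config", a),      # new file
        "b_first": t.poll(r"C:\Testing\b.config", b),      # same header as a
        "a_again": t.poll(r"C:\Testing\a.config", a),      # unchanged file
        "a_renamed": t.poll(r"C:\Testing\a.config.1", a),  # same content, new path
    }


if __name__ == "__main__":
    for salt in (None, "<SOURCE>"):
        sizes = {k: len(v) for k, v in run_scenario(salt).items()}
        print(f"crcSalt={salt!r}: bytes indexed per poll -> {sizes}")
```

In this model the unsalted tracker never indexes b.config, while the salted one indexes it but also sends a.config.1 in full a second time, which is the duplicate-data case behind the recommendation against the setting.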

gallantalex
Path Finder

Thanks for your solution, it did work, but the alwaysOpenFile setting still has to be enabled. I was hoping to not use this setting since it is said to slow down indexing, but without it crcSalt does not index the file initially. I guess that is ok since the file will only be indexed once a day at most.

I did see the crcSalt setting before but the description did not help me recognize that that is the setting I was looking for.

0 Karma